From 1a8abc4db0df72313990bc32109e59d01f4df909 Mon Sep 17 00:00:00 2001
From: Jeff Davis
Date: Fri, 8 Feb 2019 13:59:14 -0800
Subject: [PATCH] auth_proxy: optionally restrict auth by home OU
This adds a new restrict_by_home_ou setting to auth_proxy. When enabled, if the login request includes an org param, auth_proxy will refuse to authenticate a user unless their home OU matches or is a descendant of that org.
Signed-off-by: Jeff Davis
---
Open-ILS/examples/opensrf.xml.example | 1 +
Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm | 8 ++++++++
2 files changed, 9 insertions(+)
diff --git a/Open-ILS/examples/opensrf.xml.example b/Open-ILS/examples/opensrf.xml.example
index 156562b82b..7e4666fca0 100644
--- a/Open-ILS/examples/opensrf.xml.example
+++ b/Open-ILS/examples/opensrf.xml.example
@@ -554,6 +554,7 @@ vim:et:ts=4:sw=4: 103 104 + false -->
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm
index 1f7832c653..761aeb30a4 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy.pm
@@ -251,6 +251,14 @@ sub login {
$logger->debug("Authenticated username '" . $args->{'username'} . "' has no Evergreen account, aborting");
return OpenILS::Event->new( 'LOGIN_FAILED' );
} else {
+ my $restrict_by_ou = $authenticator->{restrict_by_home_ou};
+ if ($args->{org} and defined($restrict_by_ou) and $restrict_by_ou =~ /^t/i) {
+ my $descendants = $U->get_org_descendants($args->{org});
+ unless (grep $user->[0]->home_ou, @$descendants) {
+ $logger->debug("Matching user does not belong to this org, aborting");
+ return OpenILS::Event->new( 'LOGIN_FAILED' );
+ }
+ }
$args->{user_id} = $user->[0]->id;
}
-- 2.11.0
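Review bot: The added `unless (grep $user->[0]->home_ou, @$descendants)` in login never compares the home OU against the descendant list: grep's EXPR form evaluates `$user->[0]->home_ou` once per element without looking at `$_`, so in scalar context it yields the element count whenever home_ou is non-zero, and the new restriction passes every user as long as `@$descendants` is non-empty. The check needs to test each element, `unless (grep { $_ == $user->[0]->home_ou } @$descendants) {`, assuming get_org_descendants returns a list of org ids as the deref here suggests (if it returns org objects, compare `$_->id` instead). The `$restrict_by_ou =~ /^t/i` toggle also enables the feature for any value beginning with "t"; an anchored `/\A(?:t|true|1)\z/i` would make the accepted settings explicit. The enclosing `sub login` starts and ends outside the hunk.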